Improper Access Control in liukuo362573/yishaadmin

Valid

Reported on

Jan 24th 2022


Description

YiShaAdmin is vulnerable to Improper Access Control via the /admin/SystemManage/LogApi/GetPageListJson endpoint. Anyone can view the Log API of the YiShaAdmin without any authentication. This API contains the sensitive information include: ExecuteURL, ExecuteParam, ExecuteTime, ExecuteStatus, Request Time,...

Proof of Concept

Access this link below in an incognito browser:

http://106.14.124.170/admin/SystemManage/LogApi/GetPageListJson?pageSize=10&pageIndex=1&sort=Id&sortType=desc&UserName=&ExecuteUrl=&LogStatus=&StartTime=&EndTime=

You can view the sensitive information without login.
You can also modify the pageSize parameter to other values such as 100, 1000 to view more records.

Impact

This vulnerability is capable of Improper Access Control and sensitive data exposure.

We are processing your report and will contact the liukuo362573/yishaadmin team within 24 hours. 2 years ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 2 years ago
KhanhCM modified the report
2 years ago
We have contacted a member of the liukuo362573/yishaadmin team and are waiting to hear back 2 years ago
liukuo362573 validated this vulnerability 2 years ago
khanhchauminh has been awarded the disclosure bounty
The fix bounty is now up for grabs
liukuo362573 marked this as fixed in 3.1 with commit c5910a 2 years ago
The fix bounty has been dropped
LogApiDetail.cshtml#L5-L61 has been validated
LogApiIndex.cshtml#L4-L144 has been validated
to join this conversation